CVE-2025-61229: n/a
An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allows a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls.
AI Analysis
Technical Summary
CVE-2025-61229 is a local privilege escalation vulnerability affecting Shirt Pocket's SuperDuper! backup software versions 3.10 and earlier on macOS platforms. The vulnerability arises because the software allows modification of the default task template, which is used to define preflight scripts executed before backup tasks. An attacker with local access can alter this template to inject arbitrary scripts that run with root privileges and Full Disk Access, bypassing macOS's built-in privacy controls designed to restrict application access to sensitive data. This means an attacker can execute code with the highest system privileges, potentially leading to full system compromise, unauthorized data access, or persistence mechanisms. The vulnerability does not require remote access or user interaction beyond the initial local modification, making it a significant risk in environments where multiple users have local access or where endpoint security is weak. No CVSS score has been assigned yet, and no public exploits have been observed, but the technical details indicate a critical weakness in privilege separation and access control within the backup software. The lack of patch links suggests that a fix is not yet publicly available, emphasizing the need for immediate mitigation steps. Organizations relying on SuperDuper! for backups on macOS should prioritize monitoring and restricting local user permissions and prepare to deploy patches once released.
Potential Impact
For European organizations, this vulnerability poses a serious risk due to the potential for full system compromise on macOS devices. Organizations handling sensitive or regulated data (e.g., financial institutions, healthcare providers, government agencies) could face data breaches, loss of data integrity, or operational disruptions. The ability to bypass macOS privacy controls undermines endpoint security and could facilitate lateral movement within networks if attackers gain initial local access. This is particularly concerning in environments with shared workstations or insufficient endpoint protection. The impact extends to compliance risks under GDPR and other data protection regulations, as unauthorized data access or exfiltration could lead to significant legal and financial penalties. Additionally, organizations using SuperDuper! as part of their backup strategy may face risks to backup integrity and availability, potentially compromising disaster recovery capabilities.
Mitigation Recommendations
1. Restrict local user permissions to prevent unauthorized modification of SuperDuper! task templates.
2. Implement strict endpoint security controls, including application whitelisting and monitoring for unauthorized script execution.
3. Regularly audit and monitor backup task configurations and preflight scripts for unexpected changes.
4. Limit the number of users with local administrative privileges on macOS systems.
5. Employ macOS security features such as System Integrity Protection (SIP) and Full Disk Access controls to the fullest extent possible.
6. Prepare to apply vendor patches or updates immediately once they become available.
7. Consider alternative backup solutions if patching is delayed and risk is unacceptable.
8. Educate users about the risks of local privilege escalation and enforce strong physical and logical access controls to macOS endpoints.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692dbca6f910530b0eb80dff
Added to database: 12/1/2025, 4:04:54 PM
Last enriched: 12/1/2025, 4:22:08 PM
Last updated: 12/4/2025, 1:27:59 AM